More than 24 million Nigerian user accounts have been compromised in data breaches since 2004, placing the country third among the most affected nations in Sub-Saharan Africa, according to a new report by cybersecurity firm Surfshark. The findings, drawn from an analysis of global breach trends for the first quarter of 2026, arrive alongside a separate warning from Nigeria's national technology agency about a sophisticated AI-powered malware strain actively targeting financial institutions, government agencies and private individuals across the country.
The Scale of Exposure: What the Numbers Reveal
Surfshark's Q1 2026 report recorded 281,500 Nigerian accounts leaked between January and March alone, positioning Nigeria as the 34th most breached nation globally during that period. Cumulatively, approximately 7.5 million unique email addresses linked to Nigerian users have been exposed since 2004, while around 13 million passwords were leaked alongside those compromised accounts.
The categories of data exposed go well beyond usernames and passwords. Surfshark's findings identified roughly 3,900 Social Security-related records and 1,600 payment card details among the leaked information, alongside 1.9 million phone numbers and more than 925,000 residential addresses. That combination of financial identifiers and physical location data creates conditions favourable for identity theft, account hijacking, targeted extortion and financial fraud - risks the report identifies as ongoing for more than half of all affected Nigerian users.
The report's statistical summary is direct: statistically, 10 out of every 100 Nigerians have been touched by a data breach. For a country of over 200 million people, that figure represents a systemic vulnerability, not an isolated incident. Globally, the same quarter saw 210.3 million accounts breached - a sharp rise compared to earlier periods - with the United States accounting for 29 per cent of worldwide reported breaches, followed by France, India, Brazil and the United Kingdom.
DeepLoad: When Malware Learns to Hide
The National Information Technology Development Agency (NITDA) has issued a critical advisory warning Nigerians about a threat that compounds the risks exposed in the Surfshark data. DeepLoad, described by NITDA's Computer Emergency Readiness and Response Team (CERRT.NG) as an AI-enhanced malware strain, is designed to infiltrate systems, harvest sensitive credentials and evade conventional antivirus detection - three capabilities that, combined, make it significantly more dangerous than standard malware.
DeepLoad spreads through social engineering: users encounter fake website error messages that prompt them to paste commands into their computers. Once executed, the malware installs silently, extracts stored passwords and sensitive data from major browsers, and uses artificial intelligence to disguise itself from security software. What makes it especially difficult to contain is a hidden persistence mechanism built on Windows Management Instrumentation (WMI), which can reactivate the infection up to three days after it appears to have been removed. A user or IT administrator who believes they have cleaned an infected system may find it compromised again within 72 hours.
A successful DeepLoad infection can grant cybercriminals unauthorised access to bank accounts, mobile money services and payment cards. For Nigerian users, whose financial activity has shifted substantially toward digital platforms over the past decade, the potential damage is considerable.
Practical Steps and the Broader Challenge
NITDA's advisory outlines several protective measures:
- Never paste commands sourced from websites into a computer terminal - no legitimate software provider requires this
- Avoid opening files labelled "Chrome Setup" or "Firefox Installer" from USB drives or unverified sources
- Scan all external storage devices with antivirus software before use
- Enable two-factor authentication on important accounts
- Avoid storing banking passwords directly within web browsers
These recommendations are sound, but they place the burden of defence almost entirely on individual users - a structural limitation that reflects the broader challenge facing cybersecurity in Nigeria. As digital financial inclusion expands and more Nigerians conduct sensitive transactions online, the attack surface grows. Regulatory frameworks and institutional responses need to keep pace with the technical sophistication of threats like DeepLoad, not simply follow them. Data breach accumulation over two decades, now surfacing in detailed quarterly reports, makes the cost of inaction measurable and visible. The question is whether that visibility translates into coordinated institutional action.
